Chief Executive Trevor Holden has now had to sign a Data Protection Act 1998 Undertaking to agree to comply with data protection.

Two incidents of personal data being mishandled, including private information about the health and ethnicity of individuals, were reported to the IC this year.

An IC investigation then revealed that the council had not properly implemented the IC’s past recommendations for employees to receive regular mandatory training in data protection which they made after ‘several previous incidents’ of data mishandling.

A council spokesperson said: “We will now record all staff who have received training and we will be refreshing the training every two years. All new staff will undertake training before they access personal data the council holds.”

In one incident, a social worker left the office to work from home due to bad weather and took paperwork with her.

Some of it, containing personal data about a vulnerable young person, was lost in an accident during a snowstorm on the journey home.

In another incident, an email containing personal data about a family, was sent unprotected across an internet connection.

The Luton News reported in February how Luton resident Russ Seeley was sent confidential information regarding two people suspected of income support fraud.

This incident was not mentioned in the latest IC report.

The Commissioner now requires the council to make the appropriate training mandatory by the end of November, to ensure all new staff are trained.